The Increasing Importance of Security Analytics

The 1999 hit movie "Analyze This" can teach us a lot about the future of information security. In the movie, the main character, Paul Vitti (played by Robert DeNiro), notices a series of changes in, or departures from, his expected behavior. To get to the crux of the issue, Vitti enlists the help of psychiatrist Ben Sobel (played by Billy Crystal) to analyze the situation. At this point, you might, understandably, be asking yourself what this could possibly have to do with the future of information security. That is a fair question, of course, so let's drill into the topic.

One thing I've noticed lately is that a fundamental shift in attacker motives and in attacker tools, techniques, and procedures seems to be underway. Whereas sophisticated attackers once targeted intellectual property or money, they now seem to be increasingly targeting Personally Identifiable Information (PII). That's not to say that attackers don't still seek blueprints and credit card numbers -- those will likely always remain a target. Rather, it is to say that PII seems to be in vogue in the attacker community at the moment.

On the tools, techniques, and procedures side, advanced attackers seem to be moving away from traditional malware and towards legitimate tools (remote administration utilities, built-in system commands, and the like), often used in tandem with stolen credentials. That's not to say that malware isn't and won't remain a problem -- it will. Rather, the point is that attackers are evolving -- mixing things up, if you will.

The first question we need to ask ourselves is: why is this shift happening? To answer it, we need to take a step back and look at an attacker's motives. The attacker is motivated by the data he or she wishes to steal. Malware is just a tool that facilitates that objective, and a tool that defenders have gotten better at spotting. Although far from perfect, the people, process, and technology around detection and prevention of malware have improved. While a mature security operations function and a robust incident response process are still far from universal, the percentage of organizations having them is continually rising.

As a result of this progression, we've seen time-to-detection fall for organizations that take incident response and security operations seriously. For example, the 2016 Mandiant M-Trends report put the overall figure at 146 days (M-Trends reports this as median dwell time, the number of days an attacker is present before being discovered, rather than a mean). When we break this number down a bit further, we can truly understand the value and return on investment (ROI) of a mature security operations function. For organizations that detect breaches internally (before being notified by a third party), the figure is 56 days. For organizations that do not detect breaches internally and instead depend on third-party notification, it is 320 days. This divergence is quite remarkable.

The numbers show us very clearly that in order to rise to the challenges of 2016 and beyond, we need to continue to evolve our detection and prevention capabilities. As attackers shift to using stolen credentials and legitimate tools for nefarious purposes, we need to be able to continue to detect malicious activity within our organizations. Sure, that is easy for me to say, but what can organizations do to rise to the challenge?

We need to continue the evolution of our detection capabilities that has already been underway for quite some time. Once upon a time, we relied on signatures to alert us to activity requiring our attention. That was a great start, but we soon realized that signatures would not suffice and that we needed to add another layer to our detection capabilities. We added dynamic analysis of malware (detonating suspicious files in a sandbox and observing what they do) as a means to detect malicious code that matches no known signature. Even these advanced capabilities will not be enough as attackers continue to evolve, most acutely in situations where no malware at all is involved: there is no file to sign and nothing to detonate. The time has come to add another layer to our detection capabilities -- analytics. Signatures and dynamic analysis of malware are still extremely valuable, and we should continue to leverage them. But we need to augment those capabilities to allow us to rise to the challenges of 2016 and beyond.

Based upon what I've seen, I would say that there is quite a bit of confusion around analytics in the information security space. Some people think that analytics is a set of rules or use cases. Others might think that analytics is logic that looks for a series of events happening in succession. While these are interesting approaches to detecting malicious activity and can be useful in some cases, they are not actually analytics: they encode what the analyst already expects to see, rather than learning what is normal and flagging what is not. Further, I know from my operational experience that many ideas and approaches that seem good in theory or on paper often produce a large number of false positives and very little, if any, actionable information. I don't know of anyone who wants to add more noise to the alert fatigue problem.

So what is analytics? Analytics is actually more a philosophy, mentality, and approach (an analytical approach, one might say) than anything else. Here is where we come back to the important lesson that Robert DeNiro and Billy Crystal taught us through the school of laughs.

What are we actually trying to do by using analytics to mature to the next generation of detection capabilities? If we boil the issue down to its essence, it would seem to me that we're looking to efficiently and effectively identify departures from expected behavior. In other words, regardless of whether an attacker uses malicious code or a legitimate tool, if we can establish what is expected for a user or a system (server, desktop, laptop, thin client, tablet, mobile, or otherwise), detect departures from it, and correlate those departures across different events more effectively than we do today, we stand a far better chance of maintaining our ability to detect malicious or suspicious activity in a timely manner. A single odd login or a single unusual process may be noise; the same user producing several such departures within minutes of each other is a signal.
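To make the departure-from-baseline idea concrete, here is an added example that is not part of the original column and not any particular UBA product's logic. It is my own sketch: the events, users, hosts and process names are constructed, the log fields (timestamp, user, source host, process) are assumed to be available from authentication and process-start telemetry, and the ten-minute window and the threshold of three distinct departures are arbitrary values chosen for illustration. The scenario is the one the column describes: a user's stolen credentials are used from an unfamiliar host, after hours, to run an administrative tool she has never run, with no malware anywhere in the chain.

```python
"""Behavioral baseline and correlated departures (illustrative, constructed data).

A per-user profile is learned from a window of known-good events. New events
are scored by how they depart from that profile (new host, new process,
unusual hour), and departures for the same user that fall inside a short
window are correlated into a single alert instead of several weak ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training events: (timestamp, user, source_host, process).
BASELINE_EVENTS = [
    ("2016-03-01T08:05:00", "alice", "ws-alice", "outlook.exe"),
    ("2016-03-01T09:12:00", "alice", "ws-alice", "excel.exe"),
    ("2016-03-02T08:40:00", "alice", "ws-alice", "outlook.exe"),
    ("2016-03-02T17:30:00", "alice", "ws-alice", "chrome.exe"),
    ("2016-03-01T07:55:00", "bob",   "ws-bob",   "outlook.exe"),
    ("2016-03-01T10:20:00", "bob",   "jump-01",  "psexec.exe"),  # bob is an admin: PsExec is normal for him
    ("2016-03-02T11:00:00", "bob",   "jump-01",  "psexec.exe"),
]

# Constructed events to score. The last two are alice's credentials used from
# a host she has never used, after hours, to run an admin tool she never runs.
NEW_EVENTS = [
    ("2016-03-03T08:10:00", "alice", "ws-alice", "outlook.exe"),  # normal for alice
    ("2016-03-03T10:45:00", "bob",   "jump-01",  "psexec.exe"),   # normal for bob, would trip a naive "PsExec" rule
    ("2016-03-03T18:50:00", "alice", "ws-temp7", "outlook.exe"),  # new host, off-hours
    ("2016-03-03T18:52:00", "alice", "ws-temp7", "psexec.exe"),   # same host, new process, two minutes later
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_baseline(events):
    """Per-user profile: hosts seen, processes seen, and hours of day active."""
    profile = defaultdict(lambda: {"hosts": set(), "procs": set(), "hours": set()})
    for ts, user, host, proc in events:
        p = profile[user]
        p["hosts"].add(host)
        p["procs"].add(proc)
        p["hours"].add(_parse(ts).hour)
    return profile


def departures(profile, event):
    """List the ways a single event departs from its user's baseline (empty if none)."""
    ts, user, host, proc = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    hour = _parse(ts).hour
    if host not in p["hosts"]:
        reasons.append(f"new host {host}")
    if proc not in p["procs"]:
        reasons.append(f"new process {proc}")
    if hour not in p["hours"]:
        reasons.append(f"off-hours ({hour:02d}h)")
    return reasons


def score_events(profile, events, window=timedelta(minutes=10), threshold=3):
    """Correlate each user's departures inside `window`; alert once the number of
    distinct departures reaches `threshold`. Returns (user, first_ts, reasons) tuples."""
    pending = {}  # user -> (timestamp of first departure in window, set of reasons)
    alerts = []
    for ev in sorted(events, key=lambda e: _parse(e[0])):
        reasons = departures(profile, ev)
        if not reasons:
            continue  # conforms to baseline: no contribution, no noise
        ts, user = _parse(ev[0]), ev[1]
        first, acc = pending.get(user, (ts, set()))
        if ts - first > window:  # window expired: start a fresh correlation
            first, acc = ts, set()
        acc |= set(reasons)
        pending[user] = (first, acc)
        if len(acc) >= threshold:
            alerts.append((user, first.isoformat(), sorted(acc)))
            del pending[user]
    return alerts


ALERTS = score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
```

Two things the sample data is built to show: bob running PsExec produces nothing, because it is within his baseline, whereas a static "alert on PsExec" rule would page on it every day; and neither of alice's two events is damning on its own (two departures each), but correlated within the window they cross the threshold and surface as one alert that names the new host, the new process and the hour. A production implementation would learn the baseline over weeks rather than two days, weight departures rather than count them, and account for things like on-call rotations, but the shape of the approach is the same.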

Analytics is becoming ever more important, and in my opinion, it is an important part of the future of information security. I'm intrigued by the emerging set of User Behavior Analytics (UBA) solutions that we are now seeing, and I think that they can do a lot to help us rise to the challenges that await us. The evidence clearly shows that attackers are continuing to evolve and mature their capabilities. Shouldn't we do the same?

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.